ISO/IEC 27001:2005 Domains
1 ISO 27001:2005 Domains
1.1 Asset Management
1.1.1 Asset Register
1.1.2 Asset Classification
1.1.3 Asset Labeling
1.2 Access Control
1.2.1 User Registration
1.2.2 Password Management
1.2.3 Clear Work Environment
1.2.4 Operating System & Application Control
1.2.5 Network Security
ISO 27001:2005 Domains
Asset Management
Asset Management Components
The asset register documents the assets of the company, or of the scope in question. The asset management domain deals with analyzing and attaining the necessary level of protection for organizational assets. The typical objectives of the asset management domain are to identify and create an inventory of assets, establish ownership of the identified assets, establish a set of rules for the acceptable use of assets, establish a framework for the classification of assets, and establish asset labeling and handling guidelines. Asset management, broadly defined, refers to a system that monitors and maintains things of value to an entity or group. It may apply both to tangible assets such as buildings and to intangible concepts such as intellectual property and goodwill.
An asset is anything that has value to the organization. Assets can include infrastructure (e.g. buildings, store houses, towers), physical assets (computer equipment, communications and utility equipment, heavy machinery), software assets (applications, software code, development tools, operational software), information (database information, legal documentation, manuals, policies and procedures, organizational documents), services (transport, air conditioning, communications, utilities), people (management, skills, experience) and intangibles (reputation, image). Also consider assets that have been shared by a client (client-related documents, hardware, software).
Asset management is the systematic process of operating, maintaining, upgrading and disposing of assets cost-effectively. Organizations need to identify their assets and create and maintain security controls around them. For each asset, a designated owner (a team or a designation; it is better to avoid using a person's name) needs to be identified who is responsible for the implementation of appropriate security controls. When creating an asset management policy, the organization needs to define the scope of the policy (which parts of the organization are covered by it), responsibility (who is responsible for the policy), compliance (whether compliance is mandatory or the statements are guidelines to follow), waiver criteria (on what basis one can ask for a waiver) and the effective date (from when the policy is applicable).
Typical policy statements for asset management include:
All assets shall be identified, documented and regularly (define the periodicity) updated in the asset register.
All assets shall have designated owners and custodians listed in the asset register.
All assets shall have their CIA (confidentiality, integrity and availability) ratings established in the asset register.
All employees shall use company assets according to the acceptable use of assets procedures.
All assets shall be classified according to the asset classification guideline of the company.
Asset Register
Typically, business functions are required to maintain an asset register for their business units. The asset register is required to contain, at a minimum, the following information about each asset: asset identifier; asset name; type and location of the asset; name of the function and process that uses the asset; asset owner, custodian and user; and the CIA (confidentiality, integrity, availability) ratings of the asset. Organizations can choose to include additional information in the asset register as they deem necessary; for example, the IP addresses of assets can be part of the asset register.
For each asset register, the primary person responsible for it needs to be identified. Typically the business unit head or director is the owner of the asset register, and recognized functional heads are identified as asset custodians. The asset owner is accountable for the comprehensive protection of the assets owned by him/her. The asset owner may delegate the responsibility of applying the relevant controls and maintaining the assets to an individual or function referred to as the 'asset custodian'. The responsibility of the asset custodian is to implement the appropriate security controls required for the protection of information assets. It is the responsibility of employees and third-party staff to maintain the confidentiality, integrity and availability of the assets they use.
Asset Classification
Assets need to be classified in order to provide an appropriate level of protection to each category of assets. Information assets need to be classified in terms of their value, requirements and criticality to the business operations of the company. Typical company classification guidelines follow restrictive principles: the most sensitive aspect of an asset decides its classification.
Asset Labeling
All important and critical assets of the company shall be labeled physically or electronically as per the information labeling and handling procedures of the company. Asset owners are required to ensure that assets are appropriately labeled (marked) for ease of identification. Information classified as 'public' may be excluded. For each classification level, the handling procedures should cover the introduction of assets; secure processing and storage; and transmission and destruction. The classification level must be indicated wherever possible on physical or electronic forms of information that are sensitive in nature. For example, the subject of an email is stamped 'Confidential'.
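The register columns, the restrictive classification rule and the labeling exemption for public information described above, brought together in one added Python example (not code from the page). The required columns are the ones the page lists; the three-level CIA scale, the public/internal/confidential level names and the bracketed label format are assumptions.

```python
from dataclasses import dataclass, field

# Columns the page's asset register section names as the minimum.
REQUIRED_FIELDS = ("asset_id", "name", "asset_type", "location", "function",
                   "owner", "custodian", "user")
# Assumed mapping from the highest CIA rating (1..3) to a classification level.
CLASSIFICATION = {1: "public", 2: "internal", 3: "confidential"}


@dataclass
class Asset:
    asset_id: str
    name: str
    asset_type: str
    location: str
    function: str    # function and process that uses the asset
    owner: str       # a team or designation, not a person's name
    custodian: str
    user: str
    cia: tuple = (1, 1, 1)   # (confidentiality, integrity, availability), each 1..3
    extra: dict = field(default_factory=dict)   # optional columns, e.g. {"ip": ...}


def validate(asset: Asset) -> list:
    """Return the policy violations found in one register entry."""
    problems = []
    for column in REQUIRED_FIELDS:
        if not getattr(asset, column).strip():
            problems.append(f"missing {column}")
    if len(asset.cia) != 3 or any(r not in (1, 2, 3) for r in asset.cia):
        problems.append("cia ratings must be three values in 1..3")
    return problems


def classify(asset: Asset) -> str:
    """Restrictive principle: the highest of the three ratings decides."""
    return CLASSIFICATION[max(asset.cia)]


def label(asset: Asset) -> str:
    """Marking for physical/electronic labeling; 'public' assets are exempt."""
    level = classify(asset)
    return "" if level == "public" else f"[{level.upper()}] {asset.name}"
```

Run `validate` before `classify` or `label`; an entry with an out-of-range rating is rejected there rather than classified.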
Access Control
The access control domain deals with the implementation of access controls across all electronic forms of information processing systems: operating systems, applications, networks and mobile platforms. Access control is the selective restriction of access to a place or other resource. Typically, an organization's access control policy establishes the requirement for the controls that need to be implemented to control access to information, information processing facilities and business processes on the basis of business and security requirements. The policy should aim to govern the assimilation, authorization and dissemination of information in a controlled manner. Typical organizational objectives of an access control policy are to:
Establish a procedure for user registration and de-registration.
Establish a procedure to grant the correct level of access privilege.
Establish a procedure to control password use, password change and password removal.
Establish a procedure for management's review of access rights.
Establish a procedure for unattended equipment.
Maintain a clear desk policy.
Establish a procedure to control access to network services.
Establish a control method for the authentication of remote users.
Establish a procedure for the configuration of ports.
Establish a procedure to segregate networks.
Establish a procedure to use precise routing controls.
Establish a procedure to control system utilities.
Establish a procedure to secure communications on mobile computing devices.
User Registration
A registered user is one who uses an information processing facility and provides his/her credentials, proving his/her identity. Generally speaking, a person becomes a registered user by providing credentials in the form of a username (or email) and a password. After that, the user can access information and privileges unavailable to non-registered users, referred to as guests. The act of providing proper credentials to the system is called logging in, or signing in. Without proper policies to govern user registration, unauthorized people can gain access to confidential company information and leak it, causing harm to the organization's economic status and reputation. Organizations need to establish a user registration procedure that includes controls for operating system and application access.
Typical policy statements can include:
All users shall have a unique user ID based on a standard naming convention.
A formal authorization process shall be defined and followed for the provisioning of user IDs.
An audit trail shall be kept of requests to add, modify or delete user accounts/IDs.
User accounts shall be reviewed at regular intervals.
Employees shall sign a privilege form acknowledging their access rights.
Access rights shall be revoked when an employee changes or leaves jobs.
Privileges shall be allocated to individuals on a 'need-to-have' basis.
A record of privileged accounts shall be maintained and updated on a regular basis.
Password Management
Password management deals with the allocation, regulation and change of the organization's password rules. Organizations face significant security exposure in the course of routine operations. For example, dozens of system administrators may share the passwords of privileged accounts on thousands of devices. When system administrators move on, the passwords they used during their work often remain unchanged, leaving the organization vulnerable to attack by former employees and contractors.
Weak password management means that the most sensitive passwords are the least defended. The need to coordinate password updates among multiple people and programs makes changing sensitive passwords technically difficult. The inability to secure sensitive passwords exposes organizations to a variety of security exploits. Strong, manual controls on access to privileged accounts may create unanticipated risks, such as impaired service in operations and the escalation of a physical disaster at one site to the entire organization. The inability to associate administrative actions with the people who initiated them may violate internal control requirements.
Clear Work Environment
A clear work environment can go a long way in improving an organization's security posture. Important organizational documents lying around on employees' desks are open to any individual within the company. The reasons for a clean desk policy are manifold: a clean desk produces a positive image when customers visit the company; it reduces the threat of a security incident, since confidential information is locked away when unattended; and sensitive documents left in the open can be stolen by a malicious entity.
Examples of clear work environment policies include:
Critical information shall be protected when not required for use.
Only authorized users shall use photocopier machines.
All loose documents on employees' desks shall be confiscated at the end of the business day.
A user's desktop shall not contain any reference document, directly or indirectly.
Operating System & Application Control
This is the management of the configurable security controls built into an operating system or application. Within the scope of the ISMS framework, the objective is to ensure that system/application security settings are restrictive enough to protect the system (information) whilst not adversely impacting availability to the business (end user).
If an attacker can view a user's username and password, the attacker can impersonate that user and do massive damage by modifying critical information, reading corporate emails, damaging corporate websites, etc. The procedure for logging in to an operating system or application should minimize the risk of unauthorized access. The procedure shall therefore follow a strict set of rules that govern the information displayed to a potential user during the log-in process.
Sample operating system and application control policies include:
All users in the organization shall have a unique ID.
No system or application details shall be displayed before log-in.
In the event of a log-in failure, the error message shall not indicate which part of the credential is incorrect.
The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts.
During the log-in process, password entries shall be hidden by symbols.
The use of system utility programs shall be restricted, e.g. password utilities.
All operating systems and applications shall time out due to inactivity in 5/10/15/30 minutes.
All applications shall have dedicated administrative menus to control the access rights of users.
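The log-in rules above (a single generic failure message, a cap on unsuccessful attempts, an inactivity timeout) and the audit trail from the user registration section, shown in one added Python example that is not from the page. The limit of 5 attempts and the 15-minute timeout are picked from the page's own options; PBKDF2 hashing, the dummy record that keeps unknown user IDs on the same code path, and all class and method names are assumptions.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5          # the page allows 3/5/6; 5 is assumed here
IDLE_TIMEOUT_SECONDS = 15 * 60   # the page allows 5/10/15/30 minutes
GENERIC_ERROR = "Invalid credentials"   # never says which part was wrong

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self):
        self.users = {}      # user_id -> (salt, password hash)
        self.failed = {}     # user_id -> consecutive failed attempts
        self.sessions = {}   # token -> (user_id, time of last activity)
        self.audit = []      # audit trail of (event, user_id)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def login(self, user_id: str, password: str, now: float):
        if self.failed.get(user_id, 0) >= MAX_FAILED_ATTEMPTS:
            self.audit.append(("locked", user_id))
            return None, GENERIC_ERROR
        # Unknown IDs hash a dummy record so they take the same time.
        salt, stored = self.users.get(user_id, (b"\0" * 16, b"\0" * 32))
        ok = user_id in self.users and hmac.compare_digest(
            stored, hash_password(password, salt))
        if not ok:
            self.failed[user_id] = self.failed.get(user_id, 0) + 1
            self.audit.append(("failed", user_id))
            return None, GENERIC_ERROR
        self.failed[user_id] = 0
        token = secrets.token_hex(16)
        self.sessions[token] = (user_id, now)
        self.audit.append(("login", user_id))
        return token, None

    def touch(self, token: str, now: float):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user_id, last = entry
        if now - last > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(token)
            return None
        self.sessions[token] = (user_id, now)
        return user_id
```

`login` returns `(token, None)` on success and `(None, GENERIC_ERROR)` for a wrong password, an unknown ID or a locked account alike; `touch` returns the session's user, or `None` once the idle timeout has passed.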
Network Security
Network security assumes importance for an organization when viewed in light of the following: networks change as new users and devices are added and newer data communication technologies are introduced; various networking, communications and computing technologies are used to meet expanding needs; sensitive data is increasingly transmitted over networks; and the proliferation of internet access has increased vulnerability as employees use the internet for more information and knowledge.
The primary objectives of a network security policy should be to ensure that access to the company's network is provided only to authorized users, that adequate controls are in place to manage remote users, that equipment can be recognized uniquely, that networks are segregated based on need, and that appropriate network routing controls are enabled.
Typical policy statements for network security include:
Appropriate authentication mechanisms shall be used to control access by remote users.
Allocation of network access rights shall be provided as per business and security requirements.
Two-factor authentication shall be used for authenticating users of mobile/remote systems.